Incorporate simulated events into the continuity plan training.


CONTROL ID: 01402
CONTROL TYPE: Behavior
CLASSIFICATION: Preventive

SUPPORTING AND SUPPORTED CONTROLS




This Control directly supports the implied Control(s):
  • Train personnel on the continuity plan. (CC ID: 00759)

There are no implementation support Controls.


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH




  • The organization shall conduct training under conditions as close as possible to the actual environment. If this is difficult, the training may be conducted by desktop simulation. (O83.3(1), FISC Security Guidelines on Computer Systems for Banking and Related Financial Institutions, 7th Edition)
  • The primary method to train the staff on the execution of recovery plans and their roles is by conducting exercises. This also helps to identify gaps and weaknesses in the plans. (§ 5.6 ¶ 3, IIA Global Technology Audit Guide (GTAG) 10: Business Continuity Management)
  • The organization incorporates simulated events into contingency training to facilitate effective response by personnel in crisis situations. (CP-3(1) ¶ 1, StateRAMP Security Controls Baseline Summary High Sensitivity Level, Version 1.1)
  • The organization must incorporate simulated events into the contingency training. (CSR 5.6.1, Pub 100-17 Medicare Business Partners Systems Security, Transmittal 7, Appendix A: CMS Core Security Requirements CSR, March 17, 2006)
  • A preventive program to reduce the likelihood that an institution's operations will be significantly affected by a pandemic event, including: monitoring of potential outbreaks, educating employees, communicating and coordinating with critical service providers and suppliers, and providing appropriat… (TIER I OBJECTIVES AND PROCEDURES BCP - Pandemic Issues Objective 8:3 Bullet 1, FFIEC Business Continuity Planning (BCP) IT Examination Handbook, February 2015)
  • The organization incorporates simulated events into contingency training to facilitate effective response by personnel in crisis situations. (CP-3(1) High Baseline Controls, FedRAMP Baseline Security Controls, 8/28/2018)
  • Incorporate simulated events into contingency training to facilitate effective response by personnel in crisis situations. (CP-3(1) ¶ 1, FedRAMP Security Controls High Baseline, Version 5)
  • Incorporate simulated events into contingency training to facilitate effective response by personnel in crisis situations. (CP-3(1) ¶ 1, Control Baselines for Information Systems and Organizations, NIST SP 800-53B, High Impact Baseline, October 2020)
  • Incorporate simulated events into contingency training to facilitate effective response by personnel in crisis situations. (CP-3(1) ¶ 1, Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Level 2 Controls)
  • Incorporate simulated events into contingency training to facilitate effective response by personnel in crisis situations. (CP-3(1) ¶ 1, Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Level 3 Controls)
  • Contingency Planning (CP): Organizations must establish, maintain, and effectively implement plans for emergency response, backup operations, and post-disaster recovery for organizational information systems to ensure the availability of critical information resources and continuity of operations in… (§ 3, FIPS Pub 200, Minimum Security Requirements for Federal Information and Information Systems, March 2006)
  • Organizational records and documents should be examined to ensure the organization simulates events into their training sessions. Test organizational personnel by simulating disaster events to ensure they respond as expected. Interviews should be conducted with personnel who lead the training sessi… (CP-3(1), CP-3.9, Guide for Assessing the Security Controls in Federal Information Systems, NIST SP 800-53A)
  • The organization incorporates simulated events into contingency training to facilitate effective response by personnel in crisis situations. (CP-3(1) ¶ 1 High Baseline Controls, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • The organization should use simulated events for continuity training. (SG.IR-3 Additional Considerations A1, NISTIR 7628 Guidelines for Smart Grid Cyber Security: Vol. 1, Smart Grid Cyber Security Strategy, Architecture, and High-Level Requirements, August 2010)
  • The organization should incorporate simulated events into the continuity training to help obtain effective responses by personnel during actual crisis situations. (App F § CP-3(1), Recommended Security Controls for Federal Information Systems, NIST SP 800-53)
  • The organization incorporates simulated events into contingency training to facilitate effective response by personnel in crisis situations. (CP-3(1), Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Deprecated, Revision 4, Deprecated)
  • The organization incorporates simulated events into contingency training to facilitate effective response by personnel in crisis situations. (CP-3(1), Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, High Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The organization incorporates simulated events into contingency training to facilitate effective response by personnel in crisis situations. (CP-3(1) ¶ 1, Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, High Impact Baseline, Revision 4)
  • The organization incorporates simulated events into contingency training to facilitate effective response by personnel in crisis situations. (CP-3(1) ¶ 1, Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Revision 4)
  • Incorporate simulated events into contingency training to facilitate effective response by personnel in crisis situations. (CP-3(1) ¶ 1, Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5)
  • Incorporate simulated events into contingency training to facilitate effective response by personnel in crisis situations. (CP-3(1) ¶ 1, Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5.1.1)